To enable USM Anywhere to monitor your Azure subscription, you must create an application that grants permission to USM Anywhere to fetch data using the Azure SDK and Azure REST API. USM Anywhere requires the following credentials:
| Azure Credential | USM Anywhere Field Name |
|---|---|
| azure_tenant_id | Azure Tenant ID |
| azure_subscription_id | Azure Subscription ID |
| azure_application_id | Azure Application ID |
| azure_application_key | Azure Application Key |
If you're a Windows OS user, you can obtain these credentials in one of two ways:
- Using a PowerShell script, which is available through the USM Anywhere Setup wizard.
- Manually, within your Azure subscription.
If you're not a Windows OS user, you must generate these manually from your Azure subscription.
Important: You must have global administrator privileges to create an application and obtain credentials.
The subscription ID is required when you complete the Azure Credentials step of the sensor setup in USM Anywhere.
To get the Azure subscription ID
- Log in to the Microsoft Azure console (https://portal.azure.com).
- From the Azure Dashboard, select your subscription.
- From the Subscription page, copy your Subscription ID and save it somewhere that you can access later.
To allow USM Anywhere to access Azure resources, you must set up an Azure Active Directory (AD) application and assign the required permissions to it. To create the application and obtain the remaining Azure credentials (tenant ID, application ID, and application key), you must complete the Microsoft Azure standard procedure for adding a new application registration.
As you add and configure the new application, copy the tenant ID, application ID, and application key. This information is required when you complete the Azure Credentials step of the sensor setup in USM Anywhere.
If you want to use USM Anywhere to monitor all of your Azure resources, you should associate it with your Microsoft Azure subscription as a whole.
To associate the application with the entire subscription
- Log in to the new Microsoft Azure portal (https://portal.azure.com).
- Go to More Services > Subscriptions, locate the subscription, and select it.
- Select Access control (IAM) in the navigation list.
  This reveals a new blade that displays the roles and permissions that exist for the subscription.
- At the top of the blade, click Add.
- Select the Contributor role.
  This role allows assigned users to fetch new Azure logs.
- Select the Service principal you created previously to assign the role to the subscription.
- Click Save and OK.
  The system responds with the following message:
  Added user. <User_names> were added as Contributor for <name-of-your-subscription>.
You can now complete the Azure Credentials step of the USM Anywhere Sensor setup (see Azure Credentials).
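To confirm the result of the steps above before entering the credentials in the sensor setup, the following added example (not the script from the USM Anywhere Setup wizard) checks that the application's service principal holds Contributor at the subscription scope and lists any other role assignments it has. It assumes the Az PowerShell modules (Az.Accounts and Az.Resources) are installed; the parameter names are hypothetical.

```powershell
# Added example: parameter names are hypothetical; pass your own IDs.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,   # azure_subscription_id
    [Parameter(Mandatory)] [string] $ApplicationId     # azure_application_id
)

# Both values are GUIDs; stop early on a copy/paste error.
foreach ($id in @($SubscriptionId, $ApplicationId)) {
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($id, [ref] $parsed)) {
        throw "Not a valid GUID: '$id'"
    }
}

# Interactive sign-in with an account allowed to read role assignments.
Connect-AzAccount -Subscription $SubscriptionId | Out-Null
$scope = "/subscriptions/$SubscriptionId"

# Resolve the application registration to its service principal.
$sp = Get-AzADServicePrincipal -ApplicationId $ApplicationId
if (-not $sp) {
    throw "No service principal exists for application $ApplicationId"
}

# Role assignments for this principal that are visible at the subscription scope.
$assignments = @(Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope)

# The assignment the procedure creates: Contributor on the subscription itself.
$expected = $assignments | Where-Object {
    $_.RoleDefinitionName -eq 'Contributor' -and $_.Scope -eq $scope
}
if (-not $expected) {
    Write-Warning "Contributor is not assigned at $scope; repeat the IAM steps."
}

# Anything else the principal holds is outside this procedure; list it for review.
$extra = $assignments | Where-Object {
    -not ($_.RoleDefinitionName -eq 'Contributor' -and $_.Scope -eq $scope)
}

$assignments | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize
if ($extra) {
    Write-Warning "$(@($extra).Count) additional assignment(s) found; confirm they are intended."
}
```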